Archived View for dioskouroi.xyz › thread › 29432276 captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
In a public response, NSO has said its technology helps stop terrorism and that they've installed controls to curb spying against innocent targets. For example, NSO says its intrusion system cannot work on phones with U.S. numbers beginning with the country code +1.
So the point is to stop terrorism and to do that they've immediately ruled that all Americans aren't terrorists. That doesn't seem like a good metric of determining if someone is a terrorist, and makes me doubt their other controls are any better.
So I just have to buy a US phone to evade detection from NSO? And why didn't that logic work for US State Dept phones?
I'm honestly of the opinion there is nothing that NSO can say that isn't outright lying. This isn't a normal company in any way.
* A US Phone will route your call via NSA servers[1], so yeah that's OK from the US government's side
* Publicly at least, NSO acknowledges there are state level agreements, the latest one with France, to block entire country codes from Pegasus (in return, France has stopped all legal action against NSO)
* According to Israeli Channel 12 reporting on this tonight, the official NSO response also includes the statement that the accused numbers in the report were not +1 numbers. Their so called "customers" were targeting US government employees using African area codes. NSO claim they have completely disconnected said customers from the system
[1]
https://en.wikipedia.org/wiki/Room_641A
The Israel government gets a pass for anything they do. Whether it is lying about nukes or what they've done to Palestine. NSO is a feather in their cap.
Why are you conflating Israel (a state) and NSO (a fully private company, owned by American private equity at some point)?
_The Israeli Ministry of Defense licenses the export of Pegasus to foreign governments, but not to private entities._
https://en.wikipedia.org/wiki/NSO_Group#Pegasus
These export controls for weapons exist in much of the western world. Once granted a license, Israel has no legal say in how the product is used by the end user.
It's all very routine and standard, not sure why people need basic explanations of what government export regulation is when the discussion is on Israel.
It goes much deeper than that. For a while now Israel has been using NSO as an incentive for foreign relations with authoritarian regimes.
https://www.theguardian.com/world/2021/jul/20/pegasus-projec...
https://foreignpolicy.com/podcasts/foreign-policy-playlist/h...
https://www.nytimes.com/2021/11/08/world/middleeast/nso-isra...
https://www.haaretz.com/israel-news/tech-news/.premium.HIGHL...
https://www.irishtimes.com/news/world/middle-east/how-israel...
https://www.ft.com/content/24f22b28-56d1-4d66-8f76-c9020b1b5...
https://www.jpost.com/jpost-tech/what-does-the-nso-hacking-s...
> _Why are you conflating Israel (a state) and NSO (a fully private company, owned by American private equity at some point)?_
Because Jerusalem has the power to stop, or at the very least regulate, NSO.
Sounds like you and some other "clever" souls have an axe to grind with Israel.
> "clever"
This is offensive. They outlined how they disagree with the Israeli _government_ pretty clearly in their comment.
Please don't virtue signal, or state flame wars, or use this to posture some kind of agenda.
Please don't mistake yourself for dang
I'm not seeing any virtue signaling.
I remember reading that some Russian (private sector) computer viruses did not attack computers whose language and locale were set to Russia. It's never about ethics. It's always about making as much money as possible without pissing off powerful people and entities.
Crudely, we would say "don't shit where you eat". I've heard from the early (as in, 80's) hacking days some of the people in the US would never hit targets in their own state, as there wasn't good federal-level enforcement nor inter-state collaboration. Of course that would backfire today because you're immediately committing crimes across state lines...
Yep, Krebs on Security wrote "Try This One Weird Trick Russian Hackers Hate" --
https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
>And why didn't that logic work for US State Dept phones
They had Ugandan numbers, as they lived in Uganda.
Yeah, this.
They started off with the arrogance of a liar who thought they were immune from consequences. Now they're looking more like the kid who is actually in trouble only now realizing nobody trusts them to identify the sky color, let alone defend themselves.
Anything and anyone coming out of that shop is tainted.
Phone hardware is not tied to any particular number.
So you just need a SIM with a US number and use that for all your evasion needs.
As an obvious statement: I think this should be interpreted similarly to some ransomware not infecting devices with RU keyboards: it's just about avoiding difficult regulatory environments.
The analogy, of course, goes further. Though unlike most ransomware companies, NSO has British and American VC funding.
Funny enough this reminds me of the ransomware that doesn't work if a Cyrillic keyboard is installed.
https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
Someone else linked that one, it's hilarious and unsurprising really. Lots of people purposefully avoid certain OSes (mostly linux distros) as well out of respect NOT because of population/userbase of the OS. Lots of discussion on worm/trojan development forums over the years.
> _the point is to stop terrorism and to do that they've immediately ruled that all Americans aren't terrorists_
The alleged point is to sell software that stops terrorism. Pissing off America is a good way to stop being able to sell your software.
Reminds me of how some ransomware looks for if your default keyboard language is Russian. If so then it exits, doing nothing.
OK, so the best way to protect privacy is to get US-based phone number and install Russian keyboard as a default.
And it should have a list of sites blocked by Chinese regime downloaded as discovered by Lithuania [0], for even greater privacy.
0:
https://news.ycombinator.com/item?id=28616683
Most people don't know that the first bit of an area code is the evil bit.
https://en.wikipedia.org/wiki/Evil_bit
NSO has a deal with US Telecom to grow its market share throughout the world and hence the +1 statement. /s
Maybe NSA wants every important call to go through USA network (and hence a deal with NSO) - makes the job easier for three letter agencies.
These people are in for a world of hurt, the State Department tells the CIA what to do.
> _State Department tells the CIA what to do_
Your broader point is correct, but no, it doesn't. The CIA is an independent agency [1]. It reports to the DNI [2].
[1]
https://en.wikipedia.org/wiki/Independent_agencies_of_the_Un...
[2]
https://en.wikipedia.org/wiki/Director_of_National_Intellige...
Yes, but who dictates where and how they can play overseas?
> _who dictates where and how they can play overseas?_
The Director and Deputy Director of the CIA.
Heh, that showdown sounds like it would make for a hell of a book decades later.
"We promise we don't work on numbers with +1" :wink: :wink:
NSO has repeatedly shown that their statements are pretty much worthless. It's just damage control. I wouldn't put any stock in the "we avoid +1 numbers" to even be real.
> I wouldn't put any stock in the "we avoid +1 numbers" to even be real.
That part I believed. Setting up their software to not target the US seems like the kind of move they'd make. Claiming it's so they don't target innocent people is bullshit.
Seriously, they're pretty much the Mark Zuckerberg of their industry.
I'd rather compare Zuckerberg to the Sackler family who knew how addictive and harmful their painkiller OxyContin was, yet ignoring all evidence, making billions of dollars. Zuckerberg knows how bad Facebook and Instagram are, how harmful to individuals and society alike, yet ignoring that and making billions.
Edit: Replaced "social media" with "Facebook and Instagram"
That is not fair to Mark Zuckerberg.
They're pretty much the General Butt Naked of their industry.
America (who are effectively the world police) have decided to have pretty poor metrics to determine who is a terrorist, so they set the precedent for this kind of stuff.
Random government officials in Iran cannot be considered terrorists because of an embassy hostage situation from 50 years ago during a revolution in the country. If they can, then so can nearly every Chinese government official, every current Russian government official who was high up in the USSR, every current official in Iraq and Afghanistan, half the political leadership of Lebanon, Vietnam, etc.
NSO Group said in a statement on Thursday that it did not have any indication their tools were used but canceled the relevant accounts and would investigate based on the Reuters inquiry.
Why would they cancel accounts without knowledge of wrongdoing?
And simultaneously:
- not have any indication their tools were used
- canceled the relevant accounts
Which "relevant" accounts if NSO's tools weren't used?
I think it's pretty clear by now that they have 100% visibility into the entire exploitation chain for all of their customers. Their "official statements" mean nothing.
Because the US government is one of the few groups that can put real pressure on them and they're in full panic mode
Let's cancel their foreign aid, 3 Billion and change, and put a trade embargo until they pay back all their foreign aid.
Seems like not-the-smartest move for Israel to mess with one of the few powerful entities that desires its continued existence
This is just another incident in a long list that goes back decades of Israel getting carte blanche to do whatever they want to the US with little to no repercussion. The most famous probably being USS Liberty (
https://en.wikipedia.org/wiki/USS_Liberty_incident
)
Everyone knows already nothing will happen, they will get a slap on the wrist as usual and the show goes on.
and the one entity that gives it wagons of USD.
There is 0 popular support for Israel and their "religion of peace". Biden got in soooo much trouble for saying he would divest during the election.
Arguably, this is the real use case Pegasus was designed for. A government (Uganda) that does not have a large and mature civil service that would support a G7 level technical domestic intelligence agency went to market for the tools of one (NSO), so they can keep tabs on foreign intelligence agents (state department staff) in their country. I am not a fan of NSO at all, but this case sounds like they're providing sovereignty or statecraft as a service to a government that prefers to buy instead of build their security capability.
When the game is defined as a competition for how to break its rules in the most unexpected ways and with the fewest consequences, Uganda appears to have joined in with aplomb. To me it's the first time an NSO story doesn't seem like a scandal.
Is there a timetable when Apple plans to stop using memory-unsafe languages to avoid memory-bugs? If not, how can the amount of zero-days stop with constant development?
biggest issue here isn't memory safety but the dumpster fire of imessage format that calls out to privileged parts of the system
Which is exploitable primarily by memory safety exploits.
Will it make attacks impossible? Probably not totally. But it might raise the cost of the attack by an order of magnitude or more and certain classes of vulnerabilities might disappear completely.
It's an extremely common attack vector. PDFs, media message, etc. Would it be viable to create a dedicated processor specifically for parsing these things?
I'm suspicious of any messaging system that has ties into rich media / embedded-in-chat content. I even wish I could disable URL previews, gifs, and inline images in Signal.
I didn't know it was possible to disable URL previews in iMessage[1] until I read this comment. Does toggling this setting only prevent the preview from displaying or does it prevent the fetch altogether? I wish there were a way to white list the URL previews for certain contacts rather than turning it off all or nothing.
[1]
https://discussions.apple.com/thread/7677834
It can be your "trusted" contacts that infect you though.
"Jeff Bezos was hacked by a file sent from the WhatsApp account of the crown prince of Saudi Arabia, Mohammed bin Salman"
https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking
no question that imessage, email parsers, etc that do third party untrusted network type interactions SHOULD be memory safe. But of course they are not, and apple in particular LARDS these formats down with a million features.
You do know that memory-safe languages are developed using memory-unsafe languages, and eventually execute the binary code on the actual CPU?
A memory safe language can be written in itself.
I think it comes from that rewrite everything in Rust camp.
I don't understand the focus on NSO in these stories. If U.S State Department personnel in Uganda were shot from an M-16, would the headline mention "an American arms manufacturer"? No, because it's ridiculous.
For better or worse, NSO's product is a weapon. How is it any different from an M-16? Where is the outrage towards the people who used this weapon against the State Department?
> _don't understand the focus on NSO in these stories. If U.S State Department personnel in Uganda were shot from an M-16, would the headline mention "an American arms manufacturer"? No, because it's ridiculous._
No, because it isn't novel, it's not wide reaching, it's not at arm's length and it cannot be stopped.
Stuxnet, a novel American-Israeli cyber weapon, purpose built to hit Iran, was _absolutely_ billed as such. And it was received differently, by Iran, than would be _e.g._ an American-made gun fired by Iraqis at Iranian surrogates.
NSO is making and selling cyberweapons. They're doing it now. These weapons are hitting the U.S. government and its allies to an unknown extent. And they can be turned off, right now, if Jerusalem orders it.
U.S. persons being shot in Uganda by Kalashnikovs are none of these things. It's not novel. Nobody wonders if the Ugandans are going to show up, guns blazing, in Arlington. And Moscow can't remotely disable the guns.
It's my understanding that NSO runs centralized command and control servers that their "clients" are granted access to, for both the on-device payload installation and also data exfiltration.
They do not give the software to their clients to go use somewhere in the world fully independently (self hosted payload dropper, C&C, etc)
They're a direct participant in the network traffic. Unlike a dumb purely offline piece of hardware like a M4 rifle or similar.
So selling an F-15 to the Saudis (like the U.S is doing in droves) is more morally justifiable because what exactly..? After the plane is sold the Saudis are independent with it? (they aren't really btw. I'm sure there's maintenance and buying parts etc).
No one else was talking about F-15s or drones in this thread. The only mention was of weapons that even civilians can buy in some countries and do not come with a support contract attached.
IMO the US selling F-15s or drones to the Saudis is very similar. The US shouldn't be supporting the Saudis murdering civilians with F-15s, and Israel should not be supporting hacking tools that enable other governments (or private organizations) to murder people they don't like.
I am also not in favor of selling advanced weaponry to the Saudis or pretty much any non-democratic regime. The US has a very poor historical track record of supporting strongmen that do brutal things. Pinochet. Suharto. MBS. I could write a very long list.
Unlike an M-16, hacks can be conducted remotely, they can be used to plant evidence, conduct blackmail, and lots of other things where most people would never know a hack was involved.
Also, there's outrage towards NSO because Israel is supposedly an American ally. Israel needs American support, and yet Israel freely allows Israeli corporations to sell services to American enemies. And this isn't an isolated company--there are other Israeli hacking companies that target Americans, such as Black Cube.
U.S. weapons manufacturers receive a lot of criticism too, both domestically in the U.S. and internationally.
The comments here focus on NSO because the story is about what NSO did. This is computer tech kind of community so you're going to see more computer weapon stories here than stories about improper use of rifles.
> No, because it's ridiculous.
Is it really.
> I don't understand the focus on NSO in these stories
What's to understand? It's an Israeli company. Enough said. If it was an American or German company no one would have cared. Why the obsession with Israel? It's a complicated phenomenon. I think it has to do with the role Jews played in Christianity (Jesus' death etc) and the holocaust but that's just my 2 cents.
Israel is ostensibly a Western ally, yet they sell weapons that are used to attack Western nations and their citizens. Can you see why some people might consider that a problem?
Your accusations of anti-semitism are unwelcome and without merit.
The US provides substantial financial, military, and political aid to Israel, that it does not provide to Germany.
The U.S basically protects the whole of Europe by subsidizing NATO. It's probably in the trillions. Sorry but Trump had a point there. What it gives Israel is peanuts compared to that.
Without U.S support to Europe who knows what happens, maybe the Russians and Chinese start looking at Europe as easy prey to pick on.
Also the obsession with Israel isn't a uniquely American thing, it's the same in France and Canada and Germany and basically any Western country.
The attacks on NATO are such a weird thing. US support of NATO isn't a charity operation, there are strategic and economic benefits to the US from NATO participation that greatly exceed the expenses.
If the argument is that the United States shouldn't be a global power, that it should dismantle the US military and be a demure, multilateral player in the international space, sure, attack NATO. However, attacking NATO while saying the US should be a _stronger_ international player is contradictory.
Only if you count general American military spending as supporting Germany more than Israel?
Otherwise, US absolutely provides far more military spending to Israel than to Germany, it's not really comparable.
> Only if you count general American military spending
Of course I do. Europe has no real army. France kinda has an army and the U.K got out. If America didn't provide a military umbrella Europe would need to actually build a real army (Europe's contributions to NATO are pitiful). How much would it cost the Europeans to do that? Going back since WW2 that's easily in the trillions.
Given that the US actively engages in military operations in defense of Israel, I would say that it is not reasonable to attribute a larger share of the spending to Germany rather than Israel?
Is there another popular spyware company being used by rogue states to perform terrorist attacks?
What is your definition of rogue states? The U.S sells weapons to the Saudis in hundreds of billions
https://en.wikipedia.org/wiki/2017_United_States%E2%80%93Sau...
.
So I should believe the U.S thinks it's OK to sell F-15 planes but not OK to sell software? I'm gonna assume yes, there are probably other players in cyber warfare who sell to these countries, probably also the U.S.
> _the U.S thinks it's OK to sell F-15 planes but not OK to sell software?_
The U.S. thinks it's okay to sell F-15s that don't attack Americans and not okay to sell software that attacks Americans. As a, granted, American, I'm not seeing the incoherence.
Attacks Americans? Come on now, don't go overboard sir.
> _Attacks Americans?_
I was delineating why the U.S. is fine with selling weapons to _e.g._ Saudi Arabia but would not be happy about those same weapons being sold by Russia to Iran. You seemed confused on that point. There isn't a grand philosophy. It's international relations. It's anarchy. The U.S. government promotes American and allied interests.
Separately, yes, if you're hacking the State Department, you're attacking the U.S. This is consistent with how cyberterrorism is treated by DNI since at least 2014.
DarkMatter seems to have done basically the same as NSO, except with an even more explicit US connection.
> DarkMatter is under investigation by the F.B.I. for crimes including digital espionage services, involvement in the Jamal Khashoggi assassination, and incarceration of foreign dissidents.[28] The F.B.I. is also investigating current and former American employees of DarkMatter for possible cybercrimes.
Doesn't look like they only target Israeli companies.
I'm waiting for the day that the US declares a foreign corporation as an "enemy combatant", as they have done with foreign citizen Wahhabist jihadis and US citizens such as Anwar Al-Awlaki.
Given the extent and depth of US-Israeli cooperation and ties, the preceding theoretical is probably going to remain in the realm of theoretical.
Didn't they get pretty close with Huawei when the previous president issued an executive order in response to state spying fears that:
* banned the sale of any of their phones or networking products in the US
* banned US companies selling product to Huawei
* cut funding to wireless carriers using Huawei equipment
...and then pressured allied countries to do the same?
The investigation into Huawei was going on for many years prior to 2016. It's not exactly an initiative of the previous president.
I sat in briefings about Huawei and ZTE in 2007. Regretfully can't say more.
They basically declared the embargoed Iranian corporations as enemy combatants a while ago, if that's what you mean.
While I find it interesting that focus in comments appears to be on Israel, NSO and the complicated (or not really that complicated if you look at it from a different angle) relationship between them and US. I did not see a mention of a broader discussion of, you know, hoarding zero days, exploits and whether using those can be worse than conventional weaponry.
The reason I find it interesting is because it is clear that US government supports Israel (and NSO) practically unconditionally (recent vote on Iron Dome being a more amusing example of bipartisanship).
Why is Reuters, an old guard by any account, concerned? Or are they simply following what sells and government is really at odds with its people when it comes to policy in ME.
Slapping down the NSO doesn't fix the problem. We should be glad we even know that their software exists, imagine if it was completely hidden from the public? The problem is that Apple needs to fix this. Security is an arms race, and the more visibility we have into where it is weak, the better for everyone. To paraphrase the motorcycle repair episode of Winter Steele, "You are stronger now for having been fixed." IMHO.
I don't think most Apple customers know or care so despite being ostensibly "privacy focused" Apple doesn't have much of an incentive to take action.
As an American, it's becoming harder for me to muster sympathy for an entity that actively discovers and exploits technological flaws to use against their adversaries while simultaneously purposefully not alerting the manufacturers in order to correct the flaws so they can continue to exploit them and then those flaws are subsequently discovered by others and used against them. Poor you.
They shouldn't have anything to worry about, unless they have something to hide
Time to go back to rotary phones
As discussed 2 days ago here on HN
https://news.ycombinator.com/item?id=29401454
Just get calyxOS or any other privacy + security FOSS mobile operating system.
I wonder if we would be hearing about this if NSO had paid its 30% to Apple in the first place.
I thought the exploited holes were patched by iOS at some point. How are these phones still getting hacked?
Exploits are now a multi-billion dollar market. And iPhones can be obtained worldwide. You just need one person with questionable morals, good hardware hacking skills and a need for some hefty payout.
There's a lot of buyers, Five Eyes, China, Russia and naturally companies like NSO.
Because there is a never-ending supply of vulnerabilities in our smartphones.
A system this complex can never be secure no matter what google/apple PR dep claims.
People are notoriously bad at keeping their devices up to date, with some even intentionally disabling updates. This can be prevented by the IT department having MDM profiles with strict update enforcement in place, but I don't have much hope that the IT department of any given US government office is particularly capable or competent.
The article doesn't say if they were personal or work provided phones. Many people living/working overseas have work and personal phones. Also, almost all of those with personal phones get a local SIM, so they'd get a local non-US (not +1) phone number. I used to be an IT admin with DOS overseas. Updates were enforced, and phones were disabled if they were not upgraded to the most recent version. Starting in about 2019, mobile device security went into overdrive and is very serious now. Additionally, the MDM profiles are quite limiting, so this pushed most people to get personal phones. A huge pain for records retention.
Imagine that sinking feeling in the NSO offices. Uncle Sam's coming...
The victims will be pleased to learn that they're all terrorists and criminals, as NSO keeps asserting that their spyware is only used against those.
One settler colony hacks another settler colony, the one that had co-sponsored its creation along with Britain, the mothership of all settler colonies. Honor amongst thieves? No such thing.
A book came out about a year ago by a fantastic academic about the history of settler colonialism by Israel in Palestine [1]. I'd suggest anyone who wants to learn more about Israel and values referenced record of history. The book is very well written, referenced (a sixth of the book is references) and comes highly regarded.
[1]
https://www.amazon.com/Hundred-Years-War-Palestine-Resistanc...
Your comment has nothing to do with the article. Stop shoving your sick agenda down our throats and save your "links" to yourself
uh oh. That's a paddlin'
"NSO says its intrusion system cannot work on phones with U.S. numbers beginning with the country code +1."
Seems like they just need to add a similar patch for apple ids for emails ending in "state.gov". Not sure why this is such a big deal.
Come on, think about it. Doesn't work for phone numbers starting with +1? So, anyone who buys the right sim card is immune? A team of professional hackers can't find the if-else in the attack binary that enforces that to disable it? They're selling software to cybersecurity teams on the assumption that they can't crack it?
> A team of professional hackers can't find the if-else in the attack binary that enforces that to disable it?
It's probably easier than that. Seems like the kind of thing that would be in a config file (making this up, satire):
[No Spying Allowed - please do not change]
# Really, really, don't change this setting. We are not responsible if you do.
+1 # USA
+3542 # NSO Group
> They're selling software to cybersecurity teams on the assumption that they can't crack it?
No, I think they are telling journalists that their hands are clean, and it totally isn't their fault, not in a million years, that their customer changed their software.
My understanding is that it's not _just_ a tool, but a whole infrastructure around it that the clients use. So presumably, before deploying to a target, it would need to go through NSO infrastructure, so they could vet there.
Canadians go 'yay', finally some benefit of the big brother.
PS: I don't buy the explanation btw
As someone who doesn't have a +1 number I find it hard to take this comment seriously. But could it be possible that some state department employees work outside the US?
So it doesn't work on US phone numbers or doesn't work on +1 country code?
-confused Canadian because we share the +1 country code with USA under NANPA
which is pretty absurd since there's only a vague relationship in the modern SS7/PSTN between a phone's DID and where it might be physically located. In five minutes of work I could have a New Zealand number ring on my desk phone anywhere in the world.
Isn't the actual problem that a private company is using security holes that presumably Apple opened for three letter agencies to use?
Huh, it looks like suing a state-sponsored malware manufacturer _doesn't_ prevent them from continuing to hijack your devices. Live and learn, I suppose.
Suing is hardly the same as having the suit decided, grow up.
This is based on Apple notifying the employees based on prior behavior of NSO.
This post will be flagged shortly.